Merge cherrypicks of [16816308, 16630867] into sc-v2-release.android-vts-12.1_r2 android-cts-12.1_r2 android-12.1.0_r4 android-12.1.0_r3

Change-Id: I5817aa8c870e5e8f2849644bdd966813d55960e3
author: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2022-02-14 23:14:03 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2022-02-14 23:14:03 +0000
commit: 9827945fd41eb3c7940b5ce983e21757fdbae5f6 (patch)
tree: 123c78e6251240bc56731b1b999dfec14b1051cd
parent: f8f00629d484c70309df83210afeaee321654587 (diff)
parent: 2ed08261136fe59edd04af2b186bf0413aea108f (diff)
download: bt-9827945fd41eb3c7940b5ce983e21757fdbae5f6.tar.gz
2 files changed, 13 insertions, 0 deletions
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 2141bf179..0555af06f 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -581,6 +581,10 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
                        p_result->get_caps.capability_id,
                        p_result->get_caps.count);
       if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID) {
+        if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_COMP_ID) {
+          android_errorWriteLog(0x534e4554, "205837191");
+          return AVRC_STS_INTERNAL_ERR;
+        }
         min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;
         if (len < min_len) goto length_error;
         for (int xx = 0; ((xx < p_result->get_caps.count) &&
@@ -590,6 +594,10 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
         }
       } else if (p_result->get_caps.capability_id ==
                  AVRC_CAP_EVENTS_SUPPORTED) {
+        if (p_result->get_caps.count > AVRC_CAP_MAX_NUM_EVT_ID) {
+          android_errorWriteLog(0x534e4554, "205837191");
+          return AVRC_STS_INTERNAL_ERR;
+        }
         min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);
         if (len < min_len) goto length_error;
         for (int xx = 0; ((xx < p_result->get_caps.count) &&
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index b826dc19c..16454a5b0 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -811,6 +811,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 
     case L2CAP_CMD_CREDIT_BASED_RECONFIG_RES: {
       uint16_t result;
+      if (p + sizeof(uint16_t) > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "212694559");
+        LOG(ERROR) << "invalid read";
+        return;
+      }
       STREAM_TO_UINT16(result, p);
 
       L2CAP_TRACE_DEBUG(
author	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2022-02-14 23:14:03 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2022-02-14 23:14:03 +0000
commit	9827945fd41eb3c7940b5ce983e21757fdbae5f6 (patch)
tree	123c78e6251240bc56731b1b999dfec14b1051cd
parent	f8f00629d484c70309df83210afeaee321654587 (diff)
parent	2ed08261136fe59edd04af2b186bf0413aea108f (diff)
download	bt-9827945fd41eb3c7940b5ce983e21757fdbae5f6.tar.gz